On Sat, 6 Jul 2002, Adam Young wrote:

> I get this above scan, along with scans on default 1080/3128 (or whatever
> squid's port is), and all of these are hourly, almost as if someone has
> set up a cron job to scan my system on the hour each hour. Is this
> normal? I've never seen it so prevalent in my system logs, so I figured
> I'd post. Any ideas or comments would be greatly appreciated.
It looks like someone is scanning for proxies. If the scans seem to be coming from all over the place, then most likely the individual is spoofing the source IPs. In that case, there's not much you can do about it other than block those ports. If the above IPs are valid, then it's possible that someone r00t'd a broadband host (very likely) and is looking for more broadband hosts to compromise. Someone who is scanning that often is going to get caught sooner rather than later because of the amount of noise and traffic they are generating.

The only way to really tell if an IP is not spoofed is to look at the TTL. The default TTLs are usually 32, 64, 128, or 255. The default setting will vary depending on the OS and can even be manually changed (this is done very rarely). There are a few places that list what the default TTLs are for the various OSes. Looking at those scans I would assume that the default TTL that the source is using is 128 and they are 17 hops away from you. If you run a traceroute on that IP and they are 17 hops away, then more than likely the source IP was not spoofed. If the number of hops between you is different, then the source was spoofed (or they changed the default TTL) and there is really no way to determine where the scans originated. It is possible that a spoofed IP will have the same number of hops that the real one has.

If an attacker scans you with spoofing enabled and you receive scans from 10 different IPs, then one of them should (keyword) be the actual source (the attacker has to get the results back somehow). Someone who knows what they are doing will make determining the actual source difficult, and they may simply be sitting on the local network of one of the IPs sniffing the responses. So there is no real way to accurately determine the actual source of the scans. Because of this, complaining to what you think the source might be (or their admin/abuse dept.) is generally a waste of time for both sides. Sorry.

dentonj
--
chown me /world
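The TTL check described in the reply above, worked through in code. This is an added example, not code from either poster: it parses constructed netfilter/iptables-style LOG lines (the addresses, timestamps and port numbers are made up), guesses each sender's initial TTL as the smallest of the common defaults (32, 64, 128, 255) that is not below the observed value, derives the hop count from the difference, and compares that against a hop count you would obtain from your own traceroute to the claimed source (also constructed here). The one-hop slack in the comparison is an assumption of the example, to absorb asymmetric routing; the "mixed" verdict for a source that shows several different TTLs is likewise this example's addition, since one real host on one path should not do that.

```python
import re
from dataclasses import dataclass

# Common initial TTL values shipped by most OSes (the list given in the post).
DEFAULT_TTLS = (32, 64, 128, 255)

# Constructed sample log lines in netfilter/iptables LOG style. Hostnames,
# addresses, IDs and timestamps are made up for this example.
SAMPLE_LOG = """\
Jul  6 01:00:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.45 DST=192.0.2.1 LEN=48 TTL=111 ID=4711 PROTO=TCP SPT=61234 DPT=3128 SYN
Jul  6 01:00:04 gw kernel: IN=ppp0 OUT= SRC=192.0.2.45 DST=192.0.2.1 LEN=48 TTL=111 ID=4712 PROTO=TCP SPT=61235 DPT=1080 SYN
Jul  6 02:00:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=44 TTL=54 ID=9001 PROTO=TCP SPT=1025 DPT=1080 SYN
Jul  6 03:00:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=44 TTL=20 ID=17 PROTO=TCP SPT=40000 DPT=8080 SYN
"""

# Constructed traceroute results: hop counts from us to two of the claimed sources.
SAMPLE_TRACEROUTE_HOPS = {"192.0.2.45": 17, "198.51.100.7": 4}

LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?TTL=(?P<ttl>\d+).*?DPT=(?P<dpt>\d+)")


@dataclass(frozen=True)
class TtlEstimate:
    observed_ttl: int
    assumed_initial_ttl: int
    hops: int


def estimate_hops(observed_ttl: int) -> TtlEstimate:
    """Guess the sender's initial TTL as the smallest common default that is
    >= the observed value; the difference is the estimated hop count."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in DEFAULT_TTLS:
        if observed_ttl <= initial:
            return TtlEstimate(observed_ttl, initial, initial - observed_ttl)
    raise AssertionError("unreachable: 255 covers every valid TTL")


def consistent_with_traceroute(observed_ttl: int, traceroute_hops: int, slack: int = 1) -> bool:
    """Compare the TTL-derived distance with a traceroute to the claimed source.
    `slack` (assumption of this example) tolerates asymmetric paths."""
    return abs(estimate_hops(observed_ttl).hops - traceroute_hops) <= slack


def parse_log(text: str) -> list[tuple[str, int, int]]:
    """Return (src, ttl, dpt) for every line carrying the three fields we need."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m["src"], int(m["ttl"]), int(m["dpt"])))
    return out


def classify_sources(text: str, traceroute_hops: dict[str, int]) -> dict[str, str]:
    """One verdict per claimed source address:
    'plausible'    TTL-derived distance matches our traceroute to it,
    'inconsistent' it does not (spoofed, or a non-default initial TTL),
    'unknown'      no traceroute result available,
    'mixed'        the same source shows several TTLs, which one host on one path should not."""
    ttls_by_src: dict[str, set[int]] = {}
    for src, ttl, _dpt in parse_log(text):
        ttls_by_src.setdefault(src, set()).add(ttl)

    verdicts: dict[str, str] = {}
    for src, ttls in ttls_by_src.items():
        if len(ttls) != 1:
            verdicts[src] = "mixed"
            continue
        ttl = next(iter(ttls))
        if src not in traceroute_hops:
            verdicts[src] = "unknown"
        elif consistent_with_traceroute(ttl, traceroute_hops[src]):
            verdicts[src] = "plausible"
        else:
            verdicts[src] = "inconsistent"
    return verdicts


if __name__ == "__main__":
    for src, ttl, dpt in parse_log(SAMPLE_LOG):
        e = estimate_hops(ttl)
        print(f"{src:>14} -> port {dpt:<5} TTL={ttl:<3} initial~{e.assumed_initial_ttl} hops~{e.hops}")
    print(classify_sources(SAMPLE_LOG, SAMPLE_TRACEROUTE_HOPS))
```

With the constructed input, the TTL of 111 is read as an initial TTL of 128 minus 17 hops, which is the case the reply walks through; a traceroute of 17 hops to that address makes it "plausible", while the source at TTL 54 (about 10 hops) that traceroute puts only 4 hops away comes out "inconsistent". As the reply says, a match only means the address is not obviously spoofed; a spoofed address at the same distance, or a sender with a non-default initial TTL, passes or fails this check for the wrong reason.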